Vulnerability Description
OpenViking versions 0.2.1 and prior, fixed in commit 46b3e76, contain a path traversal vulnerability in the .ovpack import handling that allows attackers to write files outside the intended import directory. Attackers can craft malicious ZIP archives with traversal sequences, absolute paths, or drive prefixes in member names to overwrite or create arbitrary files with the importing process privileges.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Volcengine | Openviking | < 0.2.1 |
Related Weaknesses (CWE)
References
- https://github.com/volcengine/OpenViking/commit/46b3e76e28b9b3eee73693720c9ec488Patch
- https://github.com/volcengine/OpenViking/issues/342Issue Tracking
- https://www.vulncheck.com/advisories/openviking-ovpack-import-zip-slip-path-travPatchThird Party Advisory
- https://github.com/volcengine/OpenViking/issues/342Issue Tracking
FAQ
What is CVE-2026-28518?
CVE-2026-28518 is a vulnerability with a CVSS score of 7.8 (HIGH). OpenViking versions 0.2.1 and prior, fixed in commit 46b3e76, contain a path traversal vulnerability in the .ovpack import handling that allows attackers to write files outside the intended import dir...
How severe is CVE-2026-28518?
CVE-2026-28518 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-28518?
Check the references section above for vendor advisories and patch information. Affected products include: Volcengine Openviking.